Ubuntu Server: Kernel Comparisons and Implementation Issues

We didn't quite finish up our server kernel vs. desktop kernel comparison, so today we'll wrap that up, plus we'll dig into the included services in Ubuntu Server, marvel at a couple of interesting blunders, and decide what this thing is good for: fueling the tireless Canonical hype machine, or something actually useful?

No doubt about it, Ubuntu Server is sound in concept. It is, however, less stellar in execution. We continue our kernel comparisons and look at when to take the operating system out for a spin.

CPU Families

The server kernel uses CONFIG_M686=y, and the desktop kernel gets CONFIG_M586=y. This means that the server kernel is optimized for Pentium Pro instruction sets, and the desktop kernel for the entire 586 and 686 CPU families. This isn't hugely significant, as even a generic 486 kernel will run on modern computers. If you're into compiling your own kernels, the one change you can make that might actually improve performance is to choose the CPU option that matches your own CPU. That way you'll get full support for the instruction set for your CPU.

Leaky IPC Namespaces

Before virtualization became all the rage, there was a single set of Inter-Process Communications (IPC) objects (shared memory segments, message queues, and semaphores) that the kernel used for everything. But virtual environments must keep their own IPCs confined inside their own containers; can't have them leaking out all over the place. So IPC namespaces, or virtualized IPC, were invented. This is enabled in the server kernel (CONFIG_IPC_NS=y, CONFIG_UTS_NS=y) and not in the desktop kernel. Does this mean virtual environments are leaky and insecure on the desktop kernel? It seems so; perhaps some smart person will tell us for certain.

The final difference of note is the server kernel supports multiple IPv6 routing tables, which the desktop kernel does not.
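An added example (not from the original article) of checking these differences yourself: a shell function that reports every option whose value differs between two kernel config files. The two sample configs are constructed and hold only the options named above plus one shared option; an option absent from a file is assumed to be off.

```shell
#!/bin/sh
# Added example: print every kernel option whose value differs between two
# config files. An option missing from a file is treated as "n" (assumption).
config_diff() {
  awk '
    /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { name = $2; val = "n" }
    /^CONFIG_[A-Za-z0-9_]+=/ {
      eq = index($0, "=")
      name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
    }
    name == "" { next }                      # blank line or other comment
    {
      if (side == "server") a[name] = val; else b[name] = val
      seen[name] = 1; name = ""
    }
    END {
      for (n in seen) {
        av = (n in a) ? a[n] : "n"
        bv = (n in b) ? b[n] : "n"
        if (av != bv) print n, "server=" av, "desktop=" bv
      }
    }' side=server "$1" side=desktop "$2" | LC_ALL=C sort
}

# Constructed sample configs (not copied from real Ubuntu kernels).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/server" <<'EOF'
CONFIG_M686=y
# CONFIG_M586 is not set
CONFIG_IPC_NS=y
CONFIG_UTS_NS=y
CONFIG_NET=y
EOF
cat > "$tmp/desktop" <<'EOF'
# CONFIG_M686 is not set
CONFIG_M586=y
# CONFIG_IPC_NS is not set
CONFIG_NET=y
EOF
config_diff "$tmp/server" "$tmp/desktop"
```

On an installed system the config of the running kernel is normally found at /boot/config-$(uname -r).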

"In around 15 minutes ...you can have a LAMP (Linux, Apache, MySQL and PHP) server up and ready to go. This feature, exclusive to Ubuntu Server Edition, is available at the time of installation."

Well no, it's not exclusive. There are many prefab Linux LAMP stacks, with XAMPP for Linux being one of the most comprehensive and versatile. That same page also emphasizes the excellence of the Linux Terminal Server, which is a wonderful thin and diskless-client server. But it's not included with Ubuntu Server, so I'm wondering why it gets so much attention.

I like to see in the release notes, or somewhere close by, a complete package list. I couldn't find one anywhere, nor even a detailed description of what comes in Ubuntu Server. So I installed it on a test system and installed every package group. Then I created a complete package list by running dpkg -l. Ubuntu Server weighs in at a nice lean 355 packages, and takes up 899 MB when you select everything.

And thus we learn that Ubuntu Server includes a LAMP stack made from a 2.6.22-14 kernel, Apache 2.2.4, MySQL 5.0, PostgreSQL 8.2, PHP 5.2, Perl 5.8, and Python 2.5. So you get a couple of options for your LAMP: MySQL or PostgreSQL for your database, and PHP, Perl or Python for scripting.

Inexplicable hype aside, you also get Samba for cross-platform network authentication, and file and printer sharing. You even get ntfs-3g for read/write access to Windows NTFS filesystems. There are Postfix and Dovecot for a nice SMTP/POP3/IMAP mail server, CUPS for printing, BIND for name services, and AppArmor for enhanced security. There is a reasonable set of networking packages that support Ethernet, dialup and wireless, and a basic set of common networking utilities. It also supports a serial console, but since Ubuntu uses the Upstart init system rather than the old-fashioned Sys-V init, it's configured in /etc/event.d/ttyS* instead of /etc/inittab.

Installation

The installer itself requires that you stick around to answer questions; it's not like Ubuntu Desktop, which asks everything at the beginning and then you can go away. But it's not too bad, as it installs fairly quickly.

If you install MySQL it will ask if you want to change the default MySQL password. It doesn't tell you what the default password is, and you get only one chance to enter a new password, so you better get it right the first time.

The installer looks for a DHCP server and does not give you the chance to set a static IP address. It would be nice to have the option to set a static address during installation instead of having to remember to do it later.

Missing Sudo and Root Users

The installer prompted me to create only an unprivileged user, which is standard for Ubuntu. Ordinarily this would be a sudo user with full administrative privileges. But that didn't happen: my user was an ordinary unprivileged user who did not exist in /etc/sudoers. So there I was with a server that I couldn't do anything with. Until I booted with a rescue CD and fixed it by resetting the root password, that is.

You always need a "real" root user anyway; some commands don't work with sudo, and the ext3 file system reserves 5 percent exclusively for the root user, so if a user process goes nuts and fills up the filesystem, the root user can still save the day.

Security

Just like Debian, Ubuntu starts services immediately after installation. (Run netstat -untap as root to see what ports are open). So out of the box, your server is open for business. I would rather that none of them start until I've had a chance to configure some access controls, and am darned good and ready to start them. So be extra careful until you have things configured the way you want.
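As an added example (not part of the original article), this filter reduces netstat -untap output to the sockets that accept traffic on a non-loopback address, which are the ones to put access controls on first. The sample output is constructed; its addresses, PIDs and program names are illustrative.

```shell
#!/bin/sh
# Added example: read `netstat -untap` output on stdin and print
# "proto address port program" for each socket reachable from the network.
exposed_listeners() {
  awk '
    $1 !~ /^(tcp|udp)/            { next }   # header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # -a also lists established TCP
    $1 ~ /^udp/ && $5 !~ /:\*$/   { next }   # connected UDP sockets
    {
      host = $4; sub(/:[^:]*$/, "", host)    # strip the ":port" suffix
      port = $4; sub(/.*:/, "", port)
      if (host ~ /^127\./ || host == "::1") next   # loopback only
      prog = ($1 ~ /^tcp/) ? $7 : $6         # UDP rows have no State column
      sub(/^[0-9]+\//, "", prog)             # "4188/master" -> "master"
      print $1, host, port, prog
    }'
}

# Constructed sample, not captured from a real host.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4012/mysqld
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4188/master
tcp        0      0 192.0.2.10:25           192.0.2.50:51234        ESTABLISHED 4190/smtpd
tcp6       0      0 :::80                   :::*                    LISTEN      4250/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3901/dhclient3
udp        0      0 127.0.0.1:53            0.0.0.0:*                           4100/named
EOF
}

sample_netstat | exposed_listeners
```

On a live system, run it as root with `netstat -untap | exposed_listeners` so the program column is filled in.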

AppArmor is supposed to be the "real world" alternative to SELinux. Unfortunately there is nothing included that explains the default AppArmor configuration, or how to modify it.

Of course you get iptables for packet filtering, just like in any Linux.

Ubuntu pulls packages from Debian Testing, Unstable, and even Experimental. These are not supported by the Debian security team. In addition, the default repositories (/etc/apt/sources.list) include Universe and Multiverse, which include these scary messages:

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team..software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.....
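To see which active entries enable those components, here is an added example (not from the original article) that reads a sources.list on standard input and reports each deb or deb-src line that includes universe or multiverse. The sample file is constructed; RELEASE and mirror.example are placeholders.

```shell
#!/bin/sh
# Added example: report active APT source lines that enable the universe or
# multiverse components. Reads a sources.list file on stdin.
unreviewed_components() {
  awk '
    $1 != "deb" && $1 != "deb-src" { next }   # comments and blank lines
    {
      i = 2
      if ($i ~ /^\[/) {                       # skip an optional [options] group
        while (i <= NF && $i !~ /\]$/) i++
        i++
      }
      suite = $(i + 1)                        # $i is the URI, then the suite
      for (j = i + 2; j <= NF; j++) {
        if ($j ~ /^#/) break                  # trailing comment on the line
        if ($j == "universe" || $j == "multiverse")
          print "line " NR ": " $1 " " suite " " $j
      }
    }'
}

# Constructed sample; RELEASE and mirror.example are placeholders.
sample_sources() {
  cat <<'EOF'
# constructed sample file
deb http://mirror.example/ubuntu RELEASE main restricted
deb-src http://mirror.example/ubuntu RELEASE main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
deb http://mirror.example/ubuntu RELEASE universe
# deb http://mirror.example/ubuntu RELEASE-backports main universe
deb [arch=i386] http://mirror.example/ubuntu RELEASE-updates main multiverse
EOF
}

sample_sources | unreviewed_components
```

On a real host, feed it the file directly: `unreviewed_components < /etc/apt/sources.list`.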

Summary

This turned into a long ole review, so let's sum up.

First the good stuff: Ubuntu is an easy, one-CD installation. It's a lean, bare bones package selection with no lard, which I like because it's easier to add things than to wade through and figure out what needs to be deleted.

Some users might have an expectation that Ubuntu Server will be all shiny and easy like Ubuntu Desktop. It's not: you need to know what you're doing, because it doesn't do any hand-holding. It's an honest-to-gosh proper server with no X windows or GUI tools cluttering it up. You can have a GUI via remote administration; for example, Webmin is a high-quality and popular remote GUI administration tool for servers.

The bad stuff: Poor documentation on the Ubuntu-specific customizations; it's too hard to find out what's in it before downloading it. Bleeding-edge package versions are scary for servers, and I question the effectiveness of putting something like AppArmor on a system that is already security-questionable. LAMP security is famously difficult even with conservative package choices and careful attention to security patching. Quality control seems in need of some quality control.

Regarding expectations, I expect that with the funding, resources, and commercial aspirations behind Ubuntu, it should be a marvel of quality, security and stability, and with the awesomest documentation of all. Debian succeeds at all of these with hardly any funding. Debian and Fedora both show how release notes should be done.

The concept behind Ubuntu Server is wonderful: a lean, carefully selected batch of packages that gets you up and running quickly, and that you can easily add to as you need. I can see using Ubuntu Server as a LAN server, and as a training server, but I think opening it up to the Internet is asking for trouble.